
HELO restrictions for Exim4

Posted by Steve on Wed 7 Jun 2006 at 16:21

One thing that I've noticed on my mailserver in recent months has been a large number of spam mails which identify themselves as being sent from my own IP address. Since they never are, blocking them is a useful thing to do before any more intensive filtering is done.

When a mail is delivered to your mailserver the following happens:

  • The mail server accepts the incoming connection.
  • The client, delivering the mail, identifies itself using the HELO/EHLO command.
  • The server approves this identification, and more dialog happens.

The client is supposed to use its own name/IP as a parameter to the HELO message, but increasingly this is being abused and clients will identify themselves as the IP address of the mail server to which they are connecting.

There are two simple ways to stop this:

  • Configure Exim4 to deny messages which come from hosts which greet the server with its own IP address.
  • Create a small text file containing IPs/names from which you don't wish to accept mail, and add your own IPs to it.

Configuration File

Exim4 may be configured in two different ways on Debian systems, either using a single monolithic file, or a "split configuration".

I prefer the split configuration, and believe it is the default behaviour. If that is the case, then the file you wish to modify is /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt.

If you have the monolithic configuration then you'll need to find the relevant section inside the file /etc/exim4/exim4.conf.

Automatic Configuration

Because exim knows which IP address it is listening upon it can be configured to drop messages which use that IP address in their HELO greeting.

This solves part of the problem, but it doesn't avoid senders identifying themselves as localhost, or localhost.localdomain.

Open the configuration file and look for the section labelled acl_check_rcpt:. After that add:

  # Forged hostname -HELOs as one of my own IPs
  deny message = Forged IP detected in HELO: $sender_helo_name
    log_message = Forged IP detected in HELO: $sender_helo_name
    condition = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}

This compares the name the sender gave in its HELO (sender_helo_name) against the IP address exim is listening upon (interface_address). If they match, the message is rejected.

Manual Configuration

Manual configuration will allow you to block arbitrary connections based upon the host the client identified itself as.

The downside is that you will have to remember to update your list of rejected addresses/names if you change your server's IP address.

The configuration is very similar to the previous example; we just need to create a list of addresses to deny in a file.

I have /etc/exim4/reject/helo which contains:

127.0.0.1
localhost
localhost.localdomain
80.68.80.176

The configuration snippet looks like this:

  #
  # Do not accept messages from hosts using our IPs in HELO
  #
  deny message     = Forged IP in HELO.
       log_message = HELO is our IP
       condition   = ${lookup {$sender_helo_name} \
                     lsearch{/etc/exim4/reject/helo} \
                     {yes}{no}}

Here we look up the name the client greeted us with in the file /etc/exim4/reject/helo, and if it matches then we reject the message.

This is such a small change that it seems almost pointless to make, but it is surprisingly effective.

When Exim drops a message it will log it in /var/log/exim4/rejectlog. Looking in there I can see that there have been almost 100 messages dropped by this solution:

steve@skx2:~$ grep HELO /var/log/exim4/rejectlog | wc -l
96
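To make the two ACL statements above concrete, here is a small added Python model of them (not part of the original article or of Exim): it reads a constructed copy of the reject file the way Exim's lsearch does, applies the interface-address test and the file lookup to a few constructed greetings, and formats the resulting rejectlog line. It goes slightly beyond the article in two assumed ways: address literals such as [80.68.80.176] are normalised before comparing, and hosts in an assumed relay_from_hosts set are exempted first.

```python
# Constructed copy of the article's /etc/exim4/reject/helo (one key per line).
REJECT_FILE = """\
# local names and our own address
127.0.0.1
localhost
localhost.localdomain
80.68.80.176
"""

def load_reject_keys(text):
    """Read an lsearch-style key file: one key per line, '#' comments and blanks skipped."""
    keys = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            keys.add(line.lower())  # case-insensitive matching is this example's choice
    return keys

def check_helo(helo, interface_address, reject_keys, sender_host="", relay_from_hosts=()):
    """Evaluate one HELO/EHLO argument the way the article's two ACL statements do.

    Returns (verb, log_message). Evaluation order:
      1. hosts in relay_from_hosts are exempt (assumed exemption, like !hosts = +relay_from_hosts)
      2. automatic test: greeting equals the address Exim is listening on
      3. manual test: greeting is a key in the reject file
    Unlike Exim's plain 'eq', an address literal like [80.68.80.176] is reduced
    to the bare address first, so both spellings are caught (assumption).
    """
    if sender_host in relay_from_hosts:
        return "accept", ""
    name = helo.strip().lower()
    if name.startswith("[") and name.endswith("]"):
        name = name[1:-1]
    if name == interface_address:
        return "deny", f"Forged IP detected in HELO: {helo}"
    if name in reject_keys:
        return "deny", "HELO is our IP"
    return "accept", ""

def rejectlog_line(timestamp, sender_host, sender_addr, rcpt, log_message):
    """Format a rejection in the shape Exim writes to /var/log/exim4/rejectlog."""
    return f"{timestamp} H={sender_host} [{sender_addr}] F=<> rejected RCPT {rcpt}: {log_message}"

if __name__ == "__main__":
    keys = load_reject_keys(REJECT_FILE)
    # Constructed greetings: a forgery, a bracketed forgery, a local client, a normal MX.
    samples = [("80.68.80.176", "203.0.113.7"), ("[80.68.80.176]", "203.0.113.8"),
               ("localhost", "127.0.0.1"), ("mx1.example.net", "198.51.100.4")]
    for helo, addr in samples:
        verb, msg = check_helo(helo, "80.68.80.176", keys, sender_host=addr,
                               relay_from_hosts={"127.0.0.1"})
        print(f"{helo:16} from {addr:14} -> {verb} {msg}")
```

The exemption is what keeps a local client that greets with "localhost" (as in the fetchmail case in the comments) from being rejected while the same greeting from a remote host still is.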

Re: HELO restrictions for Exim4
Posted by stevenbdjr (67.151.xx.xx) on Wed 7 Jun 2006 at 17:55
I should also mention that it's helpful to drop/reject connections from hosts that present your domain names or mail server name in the HELO as well. Using your second solution (via lookup), this can be done by simply putting your domain names in the file as well as your IP addresses.

Personally, I drop all connections from sending hosts that use my hostnames, ANY IP (as the spec calls for a hostname), or don't HELO at all. I have had no false positives with this in over 2 years. In the rare case of an FP with some of these rules, I maintain a hostlist called helo_check_exemptions, although right now that list is an empty file. :)


Re: HELO restrictions for Exim4
Posted by Anonymous (62.252.xx.xx) on Wed 7 Jun 2006 at 18:12
There's no requirement in the (E)SMTP protocols for a HELO to contain anything useful at all. You're better off not basing any policies on HELO statements.


Re: HELO restrictions for Exim4
Posted by daemon (196.25.xx.xx) on Wed 7 Jun 2006 at 22:49
I beg to differ, so you might want to read up on rfc2821 again, so to quote from the source itself (page 29):
4.1.1.1 Extended HELLO (EHLO) or HELLO (HELO)

These commands are used to identify the SMTP client to the SMTP server. The argument field contains the fully-qualified domain name of the SMTP client if one is available. In situations in which the SMTP client system does not have a meaningful domain name (e.g., when its address is dynamically allocated and no reverse mapping record is available), the client SHOULD send an address literal (see section 4.1.3), optionally followed by information that will help to identify the client system. The SMTP server identifies itself to the SMTP client in the connection greeting reply and in the response to this command.

Fair enough, the passage uses "SHOULD" rather than "MUST", but it's clear enough to me that the EHLO/HELO needs to contain something relevant. What it boils down to is: if a server is so badly configured that it can't manage to get its greeting right, or at least close enough to right to not think it's you, do you really want mail from them? I guess that's OK if you're looking for stock tips or physical enhancements, but for normal non-pork-related messaging, I'm happy enough to cull non-compliant connections. Cheers.


Re: HELO restrictions for Exim4
Posted by haden (193.219.xx.xx) on Wed 7 Jun 2006 at 18:15
I'm using some more tests (most ideas gathered from various mailing lists):
--
# Accept from our relay clients - they don't know any better
accept
  hosts = +relay_from_hosts

# Invalid HELO/EHLO
deny
  condition = ${if match \
                {$sender_helo_name}{\N^[^.:].*[.:][^.:]+$\N}\
                {no}{yes}}
  message   = HELO/EHLO must contain a FQDN or IP literal see RFC 2821 section 4.1.1.1

# Invalid HELO/EHLO - IP address without []
deny
  condition = ${if isip{$sender_helo_name}{yes}{no}}
  message   = HELO/EHLO can't be plain IP. See RFC 2821 section 4.1.1.1

# Deny one which pretends to be us
deny
  condition = ${if match_domain{$sender_helo_name}{mail.xxx.xx : xxx.xx}{yes}{no}}
  message   = Invalid HELO/EHLO. You are NOT [mail].xxx.xx.

# Deny one which claims to have our IP
deny
  condition = ${if eq{$sender_helo_name}{[XX.XX.XX.XX]}{yes}{no}}
  message   = Invalid HELO/EHLO. You can't have my IP


Re: HELO restrictions for Exim4
Posted by cyrilferaudet (81.57.xx.xx) on Wed 7 Jun 2006 at 19:20
I find this kind of restriction a little dangerous. It causes non-spam mail to be rejected if a server is misconfigured ...

Have a look at greylisting ( apt-get install greylistd ) to reduce the amount of spam.

I use a home-made (to be debianized soon ...) variant of greylistd which uses a filesystem tree as its database (shareable by NFS), because greylistd uses a large amount of memory if you receive, like one of my installations, more than 30 mails/s.

Cyril Feraudet


Re: HELO restrictions for Exim4
Posted by Steve (62.30.xx.xx) on Wed 7 Jun 2006 at 19:37

I think if your server is misconfigured almost any configuration could be dangerous! (Unless you mean the senders' server?)

We've certainly looked at greylisting in the past and I found it very useful. Think of this as a nice complement to it, rather than a replacement!

Steve


Re: HELO restrictions for Exim4
Posted by cyrilferaudet (81.57.xx.xx) on Wed 7 Jun 2006 at 19:55
Helo Steve,

With my bad English, I wanted to say "if the sender's server is misconfigured ..." ;-)

Cyril Feraudet


Re: HELO restrictions for Exim4
Posted by Anonymous (65.185.xx.xx) on Mon 4 Jun 2007 at 02:02
If the sender's server is misconfigured so badly the hello is screwed up, I don't want mail from them because chances are they're also an open relay.


Re: HELO restrictions for Exim4
Posted by sabin (213.94.xx.xx) on Thu 8 Jun 2006 at 07:31
I was always wondering how to create some kind of 'blacklist' for exim.. that helped. Though this configuration seems to block fetchmail locally, for example.. is it possible that it blocks mails sent within a domain? Like user@domain.org to user2@domain.org?

log:

2006-06-08 08:24:49 H=localhost [127.0.0.1] F=<> rejected RCPT fetchmail@localhost: HELO is our IP


I got the following entries in my reject file:

#local
127.0.0.1
localhost
localhost.localdomain
85.90.. my external IP

greets!

./sabin -s


Re: HELO restrictions for Exim4
Posted by Steve (62.30.xx.xx) on Thu 8 Jun 2006 at 09:48

Well it is working as desired! You're connecting from "localhost" and localhost is being blocked!

Here you have a couple of choices:

  • Remove localhost from the blocklist so that it isn't going to block your use of fetchmail
  • Add an exception to the ruleset.

I think that this would work:

  #
  # Do not accept messages from hosts using our IPs in HELO
  #
  deny message     = Forged IP in HELO.
       log_message = HELO is our IP
       !hosts      = +relay_from_hosts
       condition   = ${lookup {$sender_helo_name} \
                     lsearch{/etc/exim4/reject/helo} \
                     {yes}{no}}

The intention is to block connections from the matched "helo" name unless the user has authenticated already. This does rely upon relay_from_hosts being defined and set up appropriately - so you might need to fiddle with it a little.

I'm a bit hazy on how fetchmail works, but I did think it only pulled mail - so it should be connecting to POP3/IMAP rather than SMTP, right?

As for blocking user1/user2 I'm not clear on what you're asking..

Steve


Re: HELO restrictions for Exim4
Posted by sabin (193.171.xx.xx) on Thu 8 Jun 2006 at 11:15
nevermind the user1 user2 question.. it turned out to be fine.

However.. concerning the localhost block: I did what you suggested and it seems to work pretty fine.

Thanks a lot for your quick reply!

greets, Sabin

./sabin -s


Re: HELO restrictions for Exim4
Posted by Anonymous (81.183.xx.xx) on Tue 27 Jun 2006 at 13:07
If you deny or drop any emails in some acl_helo_check then exim doesn't know where TO send BACK those funny error messages you want to be sent - e.g. "forged ip in helo" - forasmuch as she has not got the $mail_from yet.


Re: HELO restrictions for Exim4
Posted by Anonymous (217.169.xx.xx) on Thu 6 Jul 2006 at 11:43
Think carefully before implementing this block on HELO. Can you really be sure that no legitimate program on your own system tries to send mail by connecting to localhost:25 or myhostname:25, rather than running mail/sendmail/exim directly?
I'm not sure the benefit from this kind of blanket ban outweighs the risk -- the risk is small, but the benefit seems very marginal on a system running a comprehensive spam detector.


a HELO shlt-list
Posted by Anonymous (195.204.xx.xx) on Tue 26 Sep 2006 at 22:29
Great, now I have a weapon to reject HELOs I don't like.

Thanks for the article!


Re: a HELO shlt-list
Posted by Anonymous (79.146.xx.xx) on Sat 8 Apr 2017 at 12:01
#BEGIN ACL_SMTP_HELO_BLOCK

drop
message = Bad HELO - Fuck of
condition = ${if eq{$sender_helo_name}{ylmf-pc}}

drop
message = Bad HELO - Fuck of
condition = ${if eq{$sender_helo_name}{sbcglobal.net}}
drop
message = Bad HELO - Fuck of
condition = ${if eq{$sender_helo_name}{(sbcglobal.net)}}

drop
message = Bad HELO - Fuck of
condition = ${if eq{$sender_helo_name}{(outlook.com)}}

drop
message = Bad HELO - Fuck of
condition = ${if eq{$sender_helo_name}{outlook.com}}

deny
message = Bad HELO - Fuck of
condition = ${if eq{$sender_helo_name}{(ylmf-pc)}}

drop
message = Bad HELO - Fuck of
condition = ${if eq{$sender_helo_name}{mail.localhost.com}}

drop
message = Bad HELO - Fuck of
condition = ${if eq{$sender_helo_name}{alicelik.org}}

drop
message = Bad HELO - Fuck of
condition = ${if eq{$sender_helo_name}{pjts.com}}


drop
message = Bad HELO - Fuck of
condition = ${if eq{$sender_helo_name}{hinet.net}}


drop
message = Bad HELO - Fuck of
condition = ${if eq{$sender_helo_name}{localhost}}


drop
message = Bad HELO - Fuck of
condition = ${if eq{$sender_helo_name}{User}}

drop
message = Bad HELO - Fuck of
condition = ${if eq{$sender_helo_name}{host.sfsb.hr}}

drop
message = Bad HELO - Fuck of
condition = ${if eq{$sender_helo_name}{mail.example.org}}

drop
message = Bad HELO - Fuck of
condition = ${if eq{$sender_helo_name}{enlavilla.es}}

drop
message = Bad HELO - Fuck of
condition = ${if eq{$sender_helo_name}{plusmultimedia.es}}

drop
message = Bad HELO - Fuck of
condition = ${if eq{$sender_helo_name}{127.0.0.1}}

drop
message = Bad HELO - Fuck of
condition = ${if eq{$sender_helo_name}{(127.0.0.1)}}

drop
message = Bad HELO - Fuck of
condition = ${if eq{$sender_helo_name}{185.18.16.6}}

drop
message = Bad HELO - Fuck of
condition = ${if eq{$sender_helo_name}{(185.18.16.6)}}

drop
message = Bad HELO - Fuck of
condition = ${if eq{$sender_helo_name}{185.18.16.5}}

drop
message = Bad HELO - Fuck of
condition = ${if eq{$sender_helo_name}{wqle.com}}

drop
message = Bad HELO - Fuck of
condition = ${if eq{$sender_helo_name}{bwvp.com}}

drop
message = Bad HELO - Fuck of
condition = ${if eq{$sender_helo_name}{recreativohuelva.com}}

#END ACL_SMTP_HELO_BLOCK


Re: a HELO shlt-list
Posted by Chema_Mateos (79.146.xx.xx) on Sat 8 Apr 2017 at 12:06
These lines, which I just posted as Anonymous, are only for Exim.
They must go just under: #BEGIN ACL_SMTP_HELO_BLOCK
And before: #END ACL_SMTP_HELO_BLOCK
